Evaluation of Defense Installation Vulnerability Assessments
May 23, 2006

Who Should Read This Report and Why?
This report should be read by military and civilian managers throughout the Department of Defense who have responsibility for developing, coordinating, or implementing policy or practices relating to organizing, resourcing, or assessing the Defense Critical Infrastructure Protection program. The report documents observations and recommendations of our program evaluation and summarizes resulting management actions.

What Was Identified?
Doctrine and organization changes driven by the Global War on Terrorism were incomplete. Protection and assurance concepts were disjointed, and coordination of associated programs could be improved. Through its Full Spectrum Integrated Vulnerability Assessment effort, the Office of the Assistant Secretary of Defense for Homeland Defense was attempting to address a significant part of this problem. This effort required coordination between multiple staff elements within the Office of the Secretary of Defense.

How It Could Be Improved?
We recommended that the Assistant Secretary of Defense for Homeland Defense should clearly decouple unique Defense Critical Infrastructure Protection efforts from Full Spectrum Integrated Vulnerability Assessment development. The success of the Defense Critical Infrastructure Protection program should not depend on a larger program integration effort.

Progress Review.
Our February 2005 briefing to the Assistant Secretary of Defense for Homeland Defense generated decisions and staff direction.
As of November 2005, the Office of the Assistant Secretary of Defense for Homeland Defense had improved many aspects of the Defense Critical Infrastructure Protection program. Our recommendations caused or influenced the following actions.
  • The Joint Staff J3, Deputy Director for Antiterrorism and Homeland Defense proposed changing the definition of force protection to include all hazards. The Director, Defense CIP amended the definition of “mission assurance” and included it in DoD Directive 3020.40.
  • Defense CIP program officials chose preparedness as the concept overarching mission assurance and force protection. Acceptance of mission assurance as a complementary concept to force protection was increasing. The National Guard and the Defense Contract Management Agency demonstrated significant progress assessing non-DoD critical assets. Program officials worked with other OSD offices to realign responsibilities to reduce identified gaps and overlaps.
  • The Assistant Secretary of Defense for Homeland Defense needed to complete the development of program policy and assessment standards that address all assets critical to DoD missions.
  • The Assistant Secretary of Defense for Homeland Defense published interim threat, vulnerability, and criticality standards.
    His Principal Deputy established a field activity combining program management for Continuity of Operations, Continuity of Government, and Defense CIP.
  • The Assistant Secretary of Defense for Homeland Defense actively pursued implementation funding and controlled Defense CIP funding within the Program Operating Memorandum in a discrete program element.
Much remains to be done as the program matures and continues to change in response to current events.

Office of the Inspector General of the Department of Defense
Report No. IE-2005-001

GENERAL INFORMATION

Forward questions or comments concerning the evaluation of Defense Installation Vulnerability Assessments and other activities conducted by the Inspections & Evaluations Directorate to:

  Inspections & Evaluations Directorate
  Office of the Deputy Inspector General for Policy & Oversight
  Office of Inspector General of the Department of Defense
  400 Army Navy Drive
  Arlington, Virginia 22202-4704
  crystalfocus@dodig.mil

An overview of the Department of Defense Office of Inspector General mission and organizational structure is available at http://www.dodig.mil.

TO REPORT FRAUD, WASTE, AND ABUSE

Contact the DoD OIG Hotline by telephone at (800) 424-9098, by e-mail at hotline@dodig.mil or in writing:

  Defense Hotline
  The Pentagon
  Washington, D.C. 20301-1900

REPORT TRANSMITTAL

We are providing this report for information and use.
We considered management comments to our findings in preparing this final report. Assistant Secretary of Defense for Homeland Defense comments conformed to the requirements of DoD Directive 7650.3, “Follow-up on General Accounting Office (GAO), DoD Inspector General (DoD IG), and Internal Audit Reports,” June 3, 2004; therefore, additional comments are not required.

We also forwarded this report, as required by DoD Directive 7650.3, to the Audit Followup Directorate. The evaluation team included the results of a progress review in this report. We considered management actions acceptable and all recommendations closed. We did not request additional action.

  Wm Brem Morrison, III
  Assistant Inspector General for Inspections and Evaluations

TABLE OF CONTENTS

Executive Summary
Introduction
  Background
  Objective
  Early Implementation Review
Program Evaluation
  Issue 1. Definition Changes
  Issue 2. Program Responsibilities
  Issue 3. Assessment Standards
  Issue 4. Program Roles
  Issue 5. Program Funding
Evaluation Response to Management Comments
Progress Review

List of Appendixes

  A. Methodology
  B. Briefing to the Assistant Secretary of Defense for Homeland Defense
  C. Management Comments
  D. Acronym List
  E. Report Distribution

Executive Summary
Defense Installation Vulnerability Assessments

Background: In response to terrorist events, potential threats, and the increasing reliance on evolving information infrastructure, the Administration established a commission on national CIP in July 1996. The attacks of September 11, 2001 caused a major programmatic shift toward the protection of physical assets, especially in the continental United States (CONUS). At the national level, Congress established the Department of Homeland Security and assigned responsibility for national CIP to the new department. Homeland Security Presidential Directive 7 outlined the national CIP program and tasked DoD with responsibility for the Defense Industrial Base. The Secretary of Defense established U.S. Northern Command in February 2003 and the Office of the ASD(HD) in May 2003. In September 2003, the Deputy Secretary of Defense transferred Defense CIP oversight to the ASD(HD). While making significant changes to the program, the ASD(HD) recognized the value of an independent review and requested this evaluation. We initiated this project on June 17, 2004.

Evaluation Objective: Our objective was to evaluate policy and process for performing vulnerability assessments associated with Defense CIP, to include the Defense Industrial Base.
Specifically we:
  • evaluated proposed Defense CIP policy and program organization for Defense and non-Defense assets; and
  • reviewed the effectiveness of the conduct of vulnerability assessments of Defense activities.

Early Implementation Review: In this review we assessed vulnerabilities, challenges, and successes of a new program during the start-up period. The Office of the Assistant Secretary of Defense for Homeland Defense [ASD(HD)] was a new office having recently received responsibility for Defense Critical Infrastructure Protection (CIP). Our priority for this review was to provide timely findings and recommendations focused on overall program effectiveness.

[Figure 1. Project Timeline, covering the Program Evaluation and Progress Review phases from Jan 04 through Mar 06. Milestones:]
  1 (Jan 04) Assistant Secretary of Defense for Homeland Defense requested the project.
  2 (Jun 04) Program Evaluation started based on the availability of resources.
  3 (Feb 05) We briefed program evaluation results to the Assistant Secretary (requestor).
  4 (Jul 05) We provided Issue papers to program management as we completed them.
  5 (Oct 05) We began the progress review.
  6 (Nov 05) We completed data collection on program progress.
  7 (Mar 06) We distributed program evaluation and progress review results.

Context: This report collates products provided directly to officials with responsibility for the Defense CIP program. We conducted the review in two primary phases (Program Evaluation and Progress Review) as shown in Figure 1.

We provided a summary of our program evaluation findings to the ASD(HD) on February 17, 2005. Subsequently, we provided the Director, Defense CIP with a detailed discussion of each identified issue and our recommendations. We began the progress review in October 2005 after allowing 8 months for Defense CIP officials to implement our recommendations. Our results are presented in the Progress Review section.

Program Evaluation Results

Observations: During our fieldwork, we determined that program managers within the Office of the ASD(HD) established strategic goals for the Defense CIP program.
These goals were:
  • to make available Defense critical infrastructure as required;
  • to identify, prioritize, assess, and assure that Defense critical infrastructure is managed as a comprehensive program;
  • to remediate or mitigate, based on risk, vulnerabilities found in Defense critical infrastructure; and
  • to ensure Defense CIP will complement other DoD programs and efforts.

In addition, program managers within the Office of the ASD(HD) had taken actions to improve the program. They:
  • published program strategy, prepared draft policy, and conducted program assessments and gap analyses;
  • increased staffing, reorganized responsibilities, and actively engaged stakeholders on multiple levels;
  • proposed strategic concepts, developed common program definitions, and pursued systemic solutions; and
  • gained control over program funding and recognized the need for continued advocacy within the planning, programming, budgeting, and execution system.

Based on our review of documentation and interviews with responsible officials, we identified five areas of stress in the program.
  • Asset Location: DoD owned, used, and relied on assets located both within and outside the United States. Overseas presence and operations created bureaucratic and jurisdictional gaps and overlaps.
  • Asset Ownership: DoD owned significant assets, but was dependent on many outside its control.
    Success of Department operations relied on other government agencies, the Defense Industrial Base, and assets owned by host nations.
  • Program Nexus: The Services, combatant commands, and Defense sectors all had a different focus. The Services focused on assets they owned, primarily their installations. Combatant commanders focused on warfighting assets, primarily equipment and supplies. Lead agencies for the Defense sectors concentrated on a narrow range of nonwarfighting assets. Non-DoD assets received insufficient attention.
  • Program Participation: Legal issues surrounding implementation of Defense CIP at non-DoD organizations were not resolved. In addition, the role of the National Guard was unclear.
  • Threats Addressed: Policy developed over time addressed the human threat, primarily in response to terrorist events including the bombing of Khobar Towers, the U.S.S. Cole, and the attacks of 9/11. However, as evidenced by the impacts of Hurricane Katrina, nonterrorist events can equal or exceed man-made impacts.

[Figure 2. Defense CIP Asset Universe. Labels in the figure: Asset Location (CONUS, OCONUS); quadrants I, II, III, IV; ASSURANCE Program (Joint Readiness); PROTECTION (Unit Readiness); ASD(HD); Combatant Commands; Defense Sectors; Services; NON-DOD ASSETS (Key National Assets, Defense Industrial Base); DOD ASSETS (National Guard, Defense Nonwarfighting Assets, Joint, Army, Navy, Marine Corps, Air Force).]

Figure 2 illustrates the Defense CIP asset universe. The multicolored field proportionally represents all assets requiring Defense CIP criticality assessment, organized by asset ownership. The field is proportionally divided into four quadrants: vertically by geographic location and horizontally by predominant CIP-related readiness activity. In quadrants I and II, shading from dark to light reflects policy and implementation gaps, where white represents the absence of coverage. Assurance programs, including Defense CIP, are less developed.
As shown in quadrants III and IV, protection programs provide relatively comprehensive coverage of DoD warfighting assets, including Service- and Joint-owned assets. Assurance program immaturity leaves gaps in the overall management of Defense nonwarfighting assets and non-DoD assets, especially assets located outside the continental United States (OCONUS).

Program Evaluation General Conclusion: Doctrine and organization changes were incomplete. The fundamental concepts defining protection and assurance were insufficiently developed and coordinated, and the division of roles and responsibilities among associated programs could be improved. Through their Full Spectrum Integrated Vulnerability Assessment effort, ASD(HD) attempted to address a significant part of this problem. However, the effort required coordination and integration of programs under the responsibility of multiple staff elements within the Office of the Secretary of Defense. Program officials should clearly separate specific Defense CIP efforts from Full Spectrum Integrated Vulnerability Assessment development.

Recommendations: We made six observations as a result of our evaluation, five of which included recommendations for improvement. We made no recommendation regarding our observation concerning stakeholder inclusion.
  • Definitions. Responsible officials needed to update and complete definitions related to protection and assurance to incorporate current executive-level Homeland Security and CIP concepts.
  • Responsibilities.
    The Office of the Under Secretary of Defense for Policy needed to reassign and modify protection and assurance program responsibilities to unify the programs under one overarching concept, increase attention to non-DoD assets critical to DoD missions, and rationalize the geographic overlap between subordinate offices.
  • Assessment Standards. The ASD(HD) needed to complete the development of program policy and assessment standards that address all assets critical to DoD missions.
  • Program Roles. The ASD(HD) needed to modify program responsibilities to include assigning the Joint Staff and combatant commanders management of warfighting assets and establishing a new Defense Field Activity to manage DoD nonwarfighting and non-DoD assets.
  • Funding. The ASD(HD) needed to control program funding for program staff and support to stakeholders, obtain and allocate funding for vulnerability assessments, and advocate funding for mitigation of risk-based vulnerabilities.

Progress Review

Results: We conducted a progress review from October through November 2005. ASD(HD) developed and improved many aspects of the Defense CIP program following our debrief in February 2005.
  • Definitions. Defense CIP officials in the office of the ASD(HD) published definition changes in agreement with our recommendations within DoD Directive 3020.40, but had not submitted changes for inclusion in Joint Publication 1-02.
  • Responsibilities. Defense CIP program officials considered preparedness as the overarching concept for mission assurance and force protection.
    While acceptance of the concept of mission assurance was increasing, the Office of the Secretary of Defense had not yet fully accepted preparedness as the unifying construct.
  • Assessment Standards. ASD(HD) had prepared draft guidance but still needed to develop consistent criticality methodology, threat communication processes, and vulnerability assessment standards for critical assets.
  • Program Roles. ASD(HD) and the Defense Contract Management Agency had several ongoing initiatives addressing the Defense Industrial Base, but a lack of responsibility for assessment of non-DoD critical assets located OCONUS remained. The Principal Deputy Under Secretary of Defense for Policy approved the establishment of a field activity that will combine program management for Continuity of Operations, Continuity of Government, and Defense CIP.
  • Funding. Finally, ASD(HD) established a program element to identify the Defense CIP implementation budget and planned to decentralize execution to the Services starting with the FY 2008 budget.

Introduction

Background

In response to terrorist events, including the bombing of the Khobar Towers, and the increasing reliance on evolving information infrastructure, the Administration established a commission on national Critical Infrastructure Protection in July 1996. Presidential Decision Directive No.
63, “Critical Infrastructure Protection,” May 22, 1998 (PDD-63), defined critical infrastructure as “physical and cyber-based systems essential to the minimum functions of the economy and government.” PDD-63 also defined vulnerabilities, including “equipment failure, human error, weather and other natural causes, and physical and cyber attacks.”

In response to PDD-63, DoD reissued DoD Directive 5160.54, “Critical Asset Assurance Program (CAAP),” January 20, 1998. DoD Directive 5160.54 expanded the requirement to identify, analyze, assess, and assure critical assets across the full range of military operations. However, the anticipated calendar year 2000 (Y2K) software problem focused national CIP program efforts during 1998 and 1999 on preventing cyber attacks to ensure the continuity and viability of critical information systems in the United States.

DoD also reissued DoD Directive 2000.12, “DoD Antiterrorism/Force Protection (AT/FP) Program,” April 13, 1999. The language of DoD Directive 2000.12 concentrated on the protection of personnel and reflected the prevalent attitude that terrorism occurred outside the United States.

The attacks of September 11, 2001, caused a major programmatic shift toward the protection of physical assets, especially in the United States. At the national level, Congress established the Department of Homeland Security and assigned to that Department responsibility for national CIP. DoD was tasked specifically with responsibility for the Defense Industrial Base. Homeland Security Presidential Directive 7 outlined the national CIP program, and Directive 8 defined national preparedness. The Secretary of Defense established U.S.
Northern Command in February 2003 and assigned it responsibility for force protection in CONUS. The Secretary of Defense established ASD(HD) in May 2003.

In September 2003, the Deputy Secretary of Defense transferred responsibility for Defense CIP oversight to the ASD(HD). Figure 2 below illustrates the location of Defense CIP in the Office of the Secretary of Defense. As of November 2005, Defense CIP was one of six programs under the responsibility of the Deputy Assistant Secretary of Defense for Force Planning and Employment. The Director, Defense CIP divided program responsibility among three deputies: Strategy and Policy, Operations, and Enterprise Architecture.

In September 2003, the Deputy Secretary of Defense realigned oversight of the Defense Critical Infrastructure Protection (CIP) Program to the Assistant Secretary of Defense for Homeland Defense (ASD[HD]). ASD(HD) primary Defense CIP responsibilities are to
  • act as the principal staff assistant and civilian advisor to the Secretary;
  • represent DoD with the Department of Homeland Security;
  • prepare and present budget submissions to the Office of the Secretary of Defense (OSD);
  • represent DoD before the U.S. Congress; and
  • develop analytical standards and procedures to ensure effective analyses and assessments.

Figure 2. Defense CIP Organization

  SECDEF
  Under Secretaries of Defense: Acquisition, Technology, & Logistics; Personnel & Readiness; Policy; Comptroller / Chief Financial Officer; Intelligence
  Assistant Secretaries of Defense: Special Operations / Low Intensity Conflict; International Security Affairs; Homeland Defense; International Security Policy
  Deputy Assistant Secretaries of Defense: Security Coordination; Force Planning and Employment; Strategy, Plans, and Resources
  Directors: Domestic Civil Support Domain; Critical Infrastructure Protection; Domestic Combating Terrorism; Domestic Defense Domain; Domestic WMD Domain; Domestic Special Events Terrorism

Objective

The ASD(HD) requested the Inspector General review implementation of the analytical standards and procedures. We initiated this project on June 17, 2004. Our overall objective was to evaluate policy and processes for performing vulnerability assessments associated with Defense CIP, to include the Defense Industrial Base. Specifically, we:
  • evaluated proposed Defense CIP policy and program organization for Defense and non-Defense assets; and
  • reviewed the effectiveness of the conduct of vulnerability assessments of Defense activities.

Early Implementation Review

We define an early implementation review as a study that assesses vulnerabilities, challenges, and successes of a new initiative or program during the start-up period. Although Defense CIP was not a new program, ASD(HD) was a new office that had recently received responsibility for the program. Program officials were new to their responsibilities and were making significant changes. Our priority for this review was to provide timely findings and recommendations focused on overall program effectiveness.

The remaining sections of this report collate the products provided directly to officials with responsibility for the Defense CIP program. We conducted the review in two primary phases (Program Evaluation and Progress Review) as shown in Figure 1.

Figure 1. Project Timeline

  Program Evaluation: Research / Data Collection / Analysis; Production
  Progress Review: Fieldwork; Production

  1  Jan 04  Project Request: Assistant Secretary of Defense for Homeland Defense requested the project.
  2  Jun 04  Project Start: Program Evaluation started based on the availability of resources.
  3  Feb 05  Brief to the ASD(HD): We briefed program evaluation results to the Assistant Secretary (requestor).
  4  Jul 05  Final Issue Paper Transmitted: We provided Issue papers to program management as we completed them.
  5  Oct 05  Start: We began the progress review.
  6  Nov 05  End: We completed data collection on program progress.
  7  Mar 06  Publish Report: We distributed program evaluation and progress review results.

We conducted fieldwork for the program evaluation from June 2004 through February 2005. The objective of the evaluation was to assess policy and process for performing vulnerability assessments associated with Defense CIP. We provided a summary of our findings to the ASD(HD) on February 17, 2005 (see Appendix B). This was our primary product for the program evaluation phase.
    During the briefing we provided the ASD(HD) with five opportunities for program
    improvement and an overarching recommendation designed to provide sufficient
    information for executive decisions. Subsequently, we provided the Director, Defense
    CIP with a detailed discussion of each identified issue including our recommendations.
    One issue did not include recommendations; therefore, we provided no additional
    information beyond the briefing.

    We began the progress review in October 2005, after allowing 8 months for Defense CIP
    officials to implement our recommendations. The progress review was designed to
    evaluate the value of our recommendations to program management, determine their
    implementation, and ascertain significant program changes. We interviewed Defense
    CIP program officials, the ASD(HD) Comptroller, and representatives with Defense CIP
    program responsibility in the Joint Staff and Defense Contract Management Agency.
    Our results are presented in the Progress Review section.


Evaluation of Defense Installation Vulnerability Assessments
Product 1 of 5
A Crystal Focus Review

Issue 1. Definition Changes
    The addition of the continental United States (CONUS) as a significant element to the
    Global War on Terrorism necessitated changes to DoD policy and organization.
    Attempts to establish policy, assign responsibility, and develop programs were hindered
    by the lack of generally accepted terminology to describe underlying concepts.

Discussion
    The attacks of September 11, 2001, shifted the focus for prevention of further terrorist
    attacks to the homeland, and generated significant organizational change in the Federal
    Government. Homeland Security Presidential Directive No. 8, “National Preparedness,”
    December 17, 2003, defines all-hazards preparedness and establishes a national domestic
    all-hazards preparedness goal. Directive No. 8 equates preparedness with readiness for
    the national program. Priorities within both the National and Defense CIP programs also
    shifted: although the security of cyber systems remained important, attention to the
    protection of physical assets increased. The two terms used by DoD to define the
    primary activities associated with Defense CIP, force protection and mission assurance,
    do not encompass all critical assets and potential threats.

    As of February 2005, Joint Publication 1-02, “The DoD Dictionary of Military and
    Associated Terms,” (JP 1-02) defined force protection as:
        Actions taken to prevent or mitigate hostile actions against Department of Defense
        personnel (to include family members), resources, facilities, and critical information.
        These actions conserve the force’s fighting potential so it can be applied at the
        decisive time and place and incorporate the coordinated and synchronized offensive
        and defensive measures to enable the effective employment of the joint force while
        degrading opportunities for the enemy. Force protection does not include actions to
        defeat the enemy or protect against accidents, weather, or disease.

    That definition does not address all aspects of CIP. The definition implies defensive
    action, is applicable only to DoD assets, and excludes important categories of threats.
    Effective CIP requires responsible officials to identify and protect all assets that allow
    them to perform essential missions, not just assets under their control.

    In addition, comprehensive force protection should address a greater range of threats.
    Directive No. 8 adopts an all-hazards approach, and Defense CIP policy recognizes all
    hazards. The impact of multiple hurricanes in Florida and the earthquake and tsunami in
    the Indian Ocean in 2004 demonstrate the need for the all-hazards approach.

    The term mission assurance is not listed in JP 1-02.
    In draft DoD Directive 3020.ff, “Defense Critical Infrastructure Program (DCIP),”
    October 2004, the Office of the Assistant Secretary of Defense for Homeland Defense
    proposed to define mission assurance as:
        A process to ensure that assigned tasks or duties can be performed in accordance
        with the intended purpose or plan. It is a summation of the activities and measures
        taken to ensure that required capabilities and all supporting infrastructures are
        available to the DoD to carry out the National Military Strategy. It links numerous
        risk management program activities and security related functions—such as force
        protection; antiterrorism; critical infrastructure protection; information assurance;
        continuity of operations; chemical, biological, radiological, nuclear, and
        high-explosive defense; readiness; and installation preparedness—to create the
        synergistic effect required for DoD to mobilize, deploy, support, and sustain
        military operations throughout the continuum of operations.

    The language of the draft is confusing, describing mission assurance alternately as an
    activity leading to readiness and as a necessary state for successful military operations.
    It lists readiness as a complementary or subordinate risk management or security-related
    function.
    However, DoD Directive 5160.54, “Critical Asset Assurance Program (CAAP),” January
    20, 1998, clearly defines assurance as an activity. The proposed addition of the term
    mission, which has its own definition in JP 1-02, adds no value to the concept of
    assurance.

    Even though the definition of force protection includes personnel, resources, facilities,
    and critical information, in general, force protection activities focus on personnel. For
    example, DoD Directive 2000.12, “DoD Antiterrorism (AT) Program,” August 18, 2003,
    states that an explicit goal of the antiterrorism program is the protection of DoD
    elements and personnel. That program is one activity that addresses aspects of force
    protection.
    Also, DoD Instruction 2000.16, “DoD Antiterrorism Standards,” June 14, 2001,
    specifically limits higher headquarters vulnerability assessments to installations with
    “300 or more personnel on a daily basis.” The instruction allows for vulnerability
    assessments at any DoD facility if the appropriate commander identifies a need.
    Antiterrorism policy should require assessments at facilities that are deemed critical
    under CIP standards, regardless of the number of personnel impacted, to help integrate
    activities and mitigate risk.

Impact
    CIP program managers have been unable to complete coordination and publication of
    program policies. The lack of concise or generally accepted terminology describing
    concepts and doctrine has caused several stakeholders to nonconcur with draft
    directives. Obsolete or missing DoD policy hindered program implementation and
    execution, and made funding difficult to obtain.
    Clear definitions and concepts will allow for efficient distribution of program
    responsibilities and help prevent overlaps and gaps in protection and assurance
    activities.

Recommendations
    We recommended the Assistant Secretary of Defense for Homeland Defense should:
        1. Request that the Director for Operational Plans and Joint Force Development,
           Joint Staff amend the term Force Protection in Joint Publication 1-02, “The DoD
           Dictionary of Military and Associated Terms,” by deleting the word force and
           including an all-hazards component within that definition to ensure consistency
           with the intent of Homeland Security Presidential Directive No. 8.
        2. Amend the term mission assurance in DoD Directive 3020.ff, “Defense Critical
           Infrastructure Program (DCIP),” October 2004, by deleting the word mission, and
           refining the definition to include specific policy considerations as set forth in
           DoD Directive 5160.54, “Critical Asset Assurance Program (CAAP),” January 20,
           1998.
        3.
           Request that the Director for Operational Plans and Joint Force Development,
           Joint Staff include the revised assurance definition in Joint Publication 1-02,
           “The DoD Dictionary of Military and Associated Terms.”


Evaluation of Defense Installation Vulnerability Assessments
Product 2 of 5
A Crystal Focus Review

Issue 2. Program Responsibilities
    DoD preparedness concepts, including Defense CIP, were disjointed, and associated
    programs were inadequately coordinated.

Discussion
    Homeland Security Presidential Directive No. 8, “National Preparedness,” December 17,
    2003, requires a national domestic all-hazards preparedness goal. Directive No. 8
    defines all-hazards preparedness, and equates preparedness with readiness for the
    national program.

    As of March 2005, Joint Publication 1-02, “The DoD Dictionary of Military and
    Associated Terms,” (JP 1-02) defines readiness as:
        The ability of US military forces to fight and meet the demands of the national
        military strategy. Readiness is the synthesis of two distinct but interrelated levels.
        a. unit readiness - The ability to provide capabilities required by the combatant
        commanders to execute their assigned missions.
        This is derived from the ability of each unit to deliver the outputs for which it was
        designed. b. joint readiness - The combatant commander’s ability to integrate and
        synchronize ready combat and support forces to execute his or her assigned missions.

    Under this definition, all activities conducted by DoD components, other than
    Operations, contributed to readiness. General examples of these activities include
    acquisition, staffing, training, and logistical support. However, the two specific CIP
    activities contributing to readiness are protection and assurance.

    Protection, which is defined in JP 1-02 as force protection, is an activity associated
    with unit readiness. As defined, protection actions are limited to the protection of DoD
    assets. Those actions seek to “preserve the force’s fighting potential;” hence, these
    actions are generally defensive in nature. Assurance, defined in DoD Directive 5160.54,
    “Critical Asset Assurance Program (CAAP),” January 20, 1998, and draft DoD Directive
    3020.ff, “Defense Critical Infrastructure Program (DCIP),” October 13, 2004, is an
    activity associated with joint readiness.
    Assurance actions are broader, designed to “ensure that required capabilities and all
    supporting structures are available to the DoD to carry out the National Military
    Strategy.” Protection and assurance activities are complementary, and both contribute to
    different facets of readiness.

    Civilian directors and military commanders at all levels performed protection and
    assurance activities through a variety of programs. However, responsibility for
    programs, as well as underlying protection and assurance concepts, was spread across
    multiple Under and Assistant Secretaries of Defense, as shown in Table 1.

Table 1.
Protection and Assurance Program Responsibility

PROGRAM                        RESPONSIBLE OFFICE       COMMENTS
PROTECTION
  Antiterrorism                ASD(SO/LIC)
  Chemical, Biological,        ATSD(NCB), USD(AT&L),    ATSD(NCB) responsible for Chemical,
  Radiological, Nuclear,       ASD(SO/LIC)              Biological, and Nuclear policy.
  and High-Explosives                                   Responsibility for radiological policy
                                                        divided.
                                                        Department of Defense Explosive Safety
                                                        Board published conventional explosives
                                                        standards.
                                                        ASD(SO/LIC) drafting policy for
                                                        emergency response.
  Physical Security            USD(I)
  Installation Preparedness    ASD(SO/LIC), ASD(HD),    ASD(SO/LIC) drafting policy.
                               USD(AT&L)                ASD(HD) published the September 2003
                                                        report to Congress.
                                                        USD(AT&L) responsible for the Joint
                                                        Service Installation Preparedness Pilot
                                                        and Unconventional Nuclear Warfare
                                                        Defense programs.
ASSURANCE
  Continuity of Operations,    USD(P)
  Continuity of Government
  Information Assurance        ASD(NII)
  Critical Infrastructure      ASD(HD)
  Protection

ACRONYM LIST
  ASD(NII)       Assistant Secretary of Defense for Network Information and Integration
  ASD(SO/LIC)    Assistant Secretary of Defense for Special Operations and Low Intensity
                 Conflict
  ATSD(NCB)      Assistant to the Secretary of Defense for Nuclear, Chemical, and
                 Biological Defense Programs
  USD(AT&L)      Under Secretary of Defense for Acquisition, Technology and Logistics
  USD(I)         Under Secretary of Defense for Intelligence
  USD(P)         Under Secretary of Defense for Policy

    Prior to September 11, 2001, no significant CONUS threat had been identified, and DoD
    focused protection and assurance activities OCONUS. The increased efforts for
    homeland security added a geographic element to the division of protection and
    assurance responsibilities. As of February 2005, the charter document outlining
    authorities and assigning responsibilities to the Office of the ASD(HD) remained in
    draft. However, the ASD(HD) defined his responsibility as the defense of “U.S.
    sovereignty, territory, domestic population, and critical infrastructure.” Protection
    and assurance program responsibility was not realigned to match geographic limitations.
    ASD(HD) had global responsibility for Defense CIP, but had no direct responsibility for
    protection programs in CONUS. Effective CIP involves the assurance of all assets, both
    civilian and military, necessary to project, support, and sustain military forces
    worldwide.

    The geographic division of responsibility is not unique to protection and assurance
    programs. For example, environmental legislation has limited extraterritorial
    application. In response, DoD developed effective parallel policy based on consistent
    environmental standards for use in CONUS and OCONUS.
    However, coordinating this effort was simplified because the Deputy Under Secretary of
    Defense for Installations and Environment has policy responsibility for the entire
    environmental program.

Impact
    Disjointed and overlapping protection and assurance concepts resulted in inefficient
    implementation and unclear responsibility for the protection of assets. Program
    officials continued to expend time and effort attempting to agree on definitions, thus
    delaying the deployment of program capabilities. The ultimate result was the diffusion
    of civilian responsibility and confused authority. Without clear assignment of
    responsibilities, asset owners receive conflicting guidance, multiple assessments of
    assets, and uncoordinated funding for mitigation efforts.

Recommendations
    We recommended the Office of the Under Secretary of Defense for Policy should:
        1. Organize Protection and Assurance programs and initiatives under a common
           overarching concept to rationalize efforts toward all-hazards preparedness.
        2.
           Complete DoD Directive 5111.13, “Assistant Secretary of Defense for Homeland
           Defense” and amend DoD Directive 5111.10, “Assistant Secretary of Defense for
           Special Operations and Low-Intensity Conflict (ASD(SO/LIC)),” March 22, 1995, to
           reflect a geographic division of responsibility for Protection and Assurance
           policy and programs. CONUS, Alaska, Hawaii, and U.S. Territories and
           Protectorates should be assigned to the Assistant Secretary of Defense for
           Homeland Defense, and OCONUS should be assigned to the Assistant Secretary of
           Defense for Special Operations and Low-Intensity Conflict.


Evaluation of Defense Installation Vulnerability Assessments
Product 3 of 5
A Crystal Focus Review

Issue 3. Assessment Standards
    As of February 2005, the Defense CIP program did not provide sufficient deployed
    capabilities.
    In addition, prioritizing efforts and applying program resources were not optimized to
    address nonwarfighting critical assets.

Discussion
    Draft DoD Directive 3020.ff, “Defense Critical Infrastructure Program (DCIP),” October
    13, 2004, defines Defense CIP as “a risk-based DoD program that seeks to assure the
    availability of infrastructures critical to DoD missions.” It states that DoD will
    achieve this goal by identification, assessment, and security enhancement of assets
    essential for executing the National Military Strategy. As of February 2005,
    comprehensive assessment standards were incomplete, integrated assessments were not
    being performed, and program efforts assessing nonwarfighting assets were insufficient.

    At the request of Defense CIP program officials, the Defense Program Office for Mission
    Assurance (DPO-MA) published the “Defense Critical Infrastructure Program: Full
    Spectrum Integrated Vulnerability Assessment Program Concept of Operations, Version
    1.0,” which states:
        This Concept of Operations (CONOPS) addresses the need for a Defense-wide,
        comprehensive, integrated, repeatable, and sustainable vulnerability assessment
        process in accordance with Defense Critical Infrastructure Program (DCIP) policy, as
        stated in draft DoD Directive (DoDD) 3020.ff.
        To accomplish this, the document outlines the functions and processes of the DCIP
        Full Spectrum Vulnerability Assessment Program and the organizations within DoD
        responsible for establishing and ensuring such assessments.

    The document fails to identify the organizations responsible for conducting
    vulnerability assessments, stating only that assessment organizations must coordinate
    and execute Defense CIP Full Spectrum Integrated Vulnerability Assessment program
    requirements in accordance with this Concept of Operations and other applicable
    documentation.

    In July 2004, DPO-MA published the “Full Spectrum Integrated Vulnerability Assessment
    Program Team Standards, Version 1.0,” containing standards in 12 areas of concern. In
    the scope section, DPO-MA stated that the standards were applicable to “the assessment
    of all DoD critical assets, including non-DoD Federally-owned or leased critical assets
    and commercial critical assets that support the DoD mission.”

    The document was predominantly a compendium of then-current standards for assessing
    DoD assets.
    For example, the standards for assessing continuity of operations in the Plans area of
    concern and outer perimeter security in the Physical Security area of concern were
    derived from current standards applicable to Federal facilities. In two other areas of
    concern, Supporting Infrastructure Networks and Availability of Supporting Material and
    Services, DPO-MA established standards to determine vulnerability based on standards
    applicable to both Federal and non-Federal facilities. Further, the criteria were not
    designed to determine interdependency among critical assets, a vital Defense CIP
    concept.

    Inspectors using the standards as a guide will likely perform CIP assessments of
    critical DoD assets identical to and duplicative of other protection and assurance
    assessments. Moreover, inspectors will have difficulty conducting assessments on
    non-DoD assets because of lack of ownership and access.

    As of March 2005, DPO-MA was still conducting pilot vulnerability assessments. These
    tests ran concurrently with Joint Service Integrated Vulnerability Assessments and
    Balanced Survivability Assessments, both conducted by the Defense Threat Reduction
    Agency as part of the antiterrorism program. DPO-MA intended the pilot assessments as
    tests of Full Spectrum Integrated Vulnerability Assessment protocols.
    They focused their efforts on integrating existing assessments and eliminating
    overlaps.

    DPO-MA conducted 11 assessments in FY 2004 and Defense CIP program management planned
    6 during FY 2005. All assessments were of DoD-owned facilities. Consequently DPO-MA
    did not examine critical National Guard or non-DoD assets. DoD warfighting assets on
    military installations were protected to a higher standard and assessed under multiple
    protection and assurance programs. The Defense CIP assessment plan did not address
    non-DoD assets, the areas of greatest weakness.

    Defense CIP program officials accomplished significant progress in conducting DoD
    assessments, but applied insufficient attention to the specified mission of protecting
    the Defense Industrial Base. Homeland Security Presidential Directive No. 7 explicitly
    assigns responsibility to DoD for protection of the Defense Industrial Base. DoDD
    3020.ff assigns the Defense Contract Management Agency as the lead agency for
    protection of the Defense Industrial Base within DoD.
As of February 2005, CIP program responsibility within Defense Contract Management Agency was an additional duty performed at a relatively junior level. Further, according to senior officials, the Joint Staff assigned low priority to the protection of nonwarfighting critical assets.

Impact

The Defense CIP program did not adequately identify and protect infrastructures deemed critical for national security. Specifically, DoD’s vulnerability to an event disrupting critical DoD nonwarfighting and non-DoD assets remained unknown. The mission impacts remain unidentified as well. More complete assessments are needed to effect appropriate prioritization and funding.

In addition, program management’s inability to adequately define and assign assessment responsibilities created duplication of effort and confusion at installations receiving multiple findings and reports.

Recommendations

We recommended the Assistant Secretary of Defense for Homeland Defense should:

1. Complete Defense CIP assessment standards for non-DoD assets and unique CIP standards for DoD assets.
2. Integrate Defense CIP assessments that review non-DoD assets with assessments conducted on DoD assets.
3. Coordinate and fund “expert type” assessments for vital strategic DoD and non-DoD national assets.
4. Refocus CIP program activities to assure the availability of DoD nonwarfighting, National Guard, and non-DoD assets critical to DoD missions.

Product 4 of 5

Issue 4. Program Roles

Defense CIP program organization was inadequate to achieve desired homeland defense strategic objectives.

Discussion

Homeland defense objectives relating to Defense CIP are outlined in three documents. First, Homeland Security Presidential Directive No. 7, “Critical Infrastructure Identification, Prioritization, and Protection,” December 17, 2003, tasks all Federal departments to “identify, prioritize, and coordinate the protection of critical infrastructure and key resources in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them.” Second, draft DoD Directive 3020.ff states program objectives which include:

    The identification, prioritization, assessment, and assurance of Defense Critical Infrastructures … managed as a comprehensive program that includes the development of adaptive plans and procedures to: mitigate risk, restore capability in the event of loss or degradation, support incident management, and protect related information.

DoD Directive 3020.ff also defines critical infrastructures to include essential DoD and non-DoD assets worldwide. Third, in “DoD Strategy for Homeland Defense and Civil Support (Coordinating Draft),” September 13, 2004, the ASD(HD) listed DoD objectives and core capabilities for protecting the U.S. from attack.
According to this strategy, an effective Defense CIP program must “implement a protective risk management strategy for defense critical infrastructure” and “conduct protection operations for designated national critical infrastructure.” Once fully capable, the Defense CIP program will contribute to the objective of providing mission assurance.

The Director of Defense CIP has program responsibility within the office of the ASD(HD). The Director is responsible for developing and overseeing implementation of policy for worldwide identification, prioritization, assessment, remediation, and protection of critical infrastructure. However, the ASD(HD) area of responsibility was limited to the United States, Territories, and the approaches. Prior to the establishment of the Homeland Defense office, the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict was responsible for policy and advice on the use of U.S. Government resources in counterterrorism and antiterrorism. The responsibility of the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict was not geographically limited.
Reaching consensus on the division of responsibilities took time and absorbed effort that management could have applied to developing program capabilities.

As of February 2005, Defense CIP program officials were using the Defense Program Office for Mission Assurance for a wide variety of program management tasks. However, in October 2004, program officials proposed realigning Defense Program Office for Mission Assurance support and reducing staffing from 219 to 117 positions. The same proposal recommended supporting each of the 10 Defense sectors identified in DoD Directive 3020.ff with 3 full-time staff, a significant improvement. For example, as of September 2004, the Defense CIP working group responsible for the Defense Industrial Base identified over 1000 important and over 150 critical facilities, excluding overseas installations. The sector lead agency, the Defense Contract Management Agency, managed its own program using one GS-14 taken from existing staff.

The system for conducting assessments to identify vulnerabilities, prioritize impacts, and coordinate mitigation was in the initial phases of development.
Assessment standards and protocols, databases and tracking tools, and mitigation activity prioritization were all in draft or test phase. Defense CIP program officials understood the need for a coordinated effort among protection and assurance programs involving multiple Under and Assistant Secretaries of Defense. However, their efforts to coordinate multiple programs detracted from the development of fundamental program structure.

Efficient accomplishment of homeland defense strategic objectives required coordination between protection and assurance programs. Coordination should culminate in systems that ensure consolidated, analyzed assessment information for all stakeholders. Different assessment groups need to use a common data set representing the facility or installation and apply an integrated, relevant threat picture. Using common baselines would encourage comparable results from different groups and minimize duplication and repetition.

Impact

Inadequate program structure resulted in inefficient application of resources, gaps in analysis, and unnecessary disruption at installations. Responsible offices need to retain some control of dedicated resources. However, fragmented protection and assurance efforts did not facilitate the application of a strategic vision that balanced all areas of program responsibility.
Disjointed efforts led to insufficient review of nonwarfighting assets under DoD responsibility and potential gaps in the analysis of national level assets and DoD-wide systems. Finally, the lack of a single program office or activity responsible for establishing standards and coordinating worldwide assessments created duplication and the perception of conflicts at installations. Installation representatives stated they received multiple assessments, often reviewing the same functional areas and systems, with many assessments producing repeat findings and inconsistent results (same system or function, different findings). Assigning a field activity to coordinate and track various protection and assurance efforts would permit more efficient execution of protection and assurance programs.

Recommendations

1. We recommended the Assistant Secretary of Defense for Homeland Defense should establish a field activity responsible for implementing and monitoring Department protection and assurance programs. The field activity should have the following primary responsibilities:
    a. develop, validate, and accredit assessment and training standards for assessors;
    b. standardize, consolidate, and archive facility infrastructure and vulnerability assessment data;
    c. identify protection and assurance issues with broad impacts across nonwarfighting assets or DoD-wide applicability; and
    d. obtain, integrate, and share relevant threat data with assessing organizations.
2. The Assistant Secretary of Defense for Homeland Defense should publish policy that assigns responsibility to:
    a. conduct Defense Critical Infrastructure Protection program vulnerability assessments;
    b. standardize definitions and criteria for determining asset criticality; and
    c. develop quantifiable program metrics.

Product 5 of 5

Issue 5. Program Funding

Defense CIP planning and programming was inadequate to reduce critical vulnerabilities.

Discussion

The realignment of Defense CIP oversight to the ASD(HD) did not resolve issues relating to programmatic funding.
Officials responsible for implementing Defense CIP programs at command levels cited the lack of established policy addressing program and mitigation funding as a significant concern.

In 2002, the Defense Science Board Summer Study on Special Operations and Joint Forces in Support of Countering Terrorism recommended an “increase tenfold (over three years) [of] the people and resources devoted to assessing vulnerabilities of our DoD force protection capabilities and critical infrastructure.” In the report, the Defense Science Board estimated assessment costs in excess of $100 million, and further estimated a $150 million yearly requirement to redress vulnerabilities. The report also recommended that DoD establish a separate funding line for assessment and mitigation funding.

Prior to FY 2005, Defense CIP program funding was split between the ASD(HD) and the Joint Program Office (later the Defense Program Office) for Mission Assurance under the Department of the Navy. Budget authority for the FY 2005 Defense CIP program was consolidated under the ASD(HD) in two program elements: OSD Operations and Maintenance ($18 million), and CIP Research, Development, Testing, Evaluation ($22 million).
Program officials stated that their priority for FY 2005 was the establishment of Defense CIP offices in combatant commands and Defense sectors, and that an additional $9 million was potentially available. However, budgeted amounts were well short of Defense Science Board recommendations.

Commands expressed frustration that Defense CIP emphasized the assessment concept without the concomitant emphasis on mitigating the vulnerabilities the assessments identified. Command and installation requests for Defense CIP mitigation funds competed with all other requirements through the regular Planning, Programming, Budgeting, and Execution (PPBE) process. As of February 2005, the Office of the ASD(HD) was not involved in mitigation funding or the disbursement of funds for that purpose, but representatives anticipated an increased role beginning with the FY 2007 budget.

The Combating Terrorism Readiness Initiatives Fund of the Antiterrorism program allows the Joint Staff to fund force protection mitigation against emerging threats. This program provides an example of efficient targeting of funds to prioritized projects.
As of February 2005, the Defense CIP program had no comparable process, and commanders were not afforded access to Combating Terrorism Readiness Initiatives Funds to mitigate vulnerabilities unique to Defense CIP. Command representatives with responsibility for Defense CIP stated that programmatic inclusion in the PPBE system was necessary for continued program development.

Impact

A lack of stable funding for the Defense CIP program contributed to problems with program implementation throughout the combatant commands and Defense sectors. It was detrimental to long-term planning for vulnerability assessments. In addition, insufficient resources for mitigation of identified vulnerabilities led to frustration at installations. Defense CIP assessments highlighted problems, making commanders aware of weaknesses without providing a ready means for relief.

Decentralized funding without centralized prioritization and oversight discouraged effective mitigation efforts. Determining which assets were critical depended on mission requirements that varied with level of command. Thus, a mitigation effort to protect an asset critical to a combatant commander could receive a low priority from an installation commander.
Vulnerabilities that remained uncorrected increased the risk to mission assurance.

Recommendations

We recommended the Assistant Secretary of Defense for Homeland Defense should:

1. Establish the Critical Infrastructure Protection program in the planning, programming, budgeting, and execution system and control and coordinate program implementation funding.
2. Advocate for mitigation funding from a consolidated, prioritized database of risk-based vulnerabilities identified through a coordinated assessment process.

Evaluation Response to Management Comments

ASD(HD) concurred with the majority of our recommendations. We discuss specific instances of disagreement and potential impacts below. The following is a summary of the management comments and the OIG response. Full management comments can be found in Appendix B.

Issue 1. Definition Changes

ASD(HD) disagreed with our recommendation to shorten mission assurance to assurance and force protection to protection, but agreed with the need to include program definitions in the Joint Dictionary of Military and Associated Terms. The intent of the recommendation was to simplify and clarify fundamental concepts used to assign responsibility, establish policy, and define requirements. Management choosing not to support the change had no substantial impact on the Defense CIP program.

Issue 2. Program Responsibilities

ASD(HD) supported our recommendation to organize protection and assurance concepts under a common overarching concept.
However, management chose to use the term preparedness instead of readiness. We proposed readiness specifically because it represented the military term best matching preparedness. Management’s choice of preparedness, the term used in national policy, is acceptable. Also, ASD(HD) did not agree with our recommendation to divide responsibility for protection and assurance policy based on geographic areas of responsibility. We concur with management’s analysis. The Under Secretary of Defense for Policy adjusted responsibilities between ASD(HD) and the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict. However, officials need to codify their agreements in policy.

Issue 3. Assessment Standards

ASD(HD) disagreed with our recommendation to integrate Defense CIP assessments with Joint Staff Integrated Vulnerability Assessments. We concur with their analysis, which is based on a series of jointly conducted pilot assessments. Ensuring effective and comprehensive CIP assessments takes precedence over efficiency gains through integration with existing assessment programs.

Progress Review

We conducted a progress review from October through November 2005 to ascertain significant program changes and determine the impacts of our recommendations. Since our briefing to the ASD(HD) in February 2005, the office of the ASD(HD) further developed and improved many aspects of the Defense CIP program.
The ASD(HD) published two important documents: “Strategy for Homeland Defense and Civil Support,” June 2005, and DoD Directive 3020.40, “Defense Critical Infrastructure Program (DCIP),” August 19, 2005.

Results

As of November 2005, the Office of the Assistant Secretary of Defense for Homeland Defense had improved many aspects of the Defense Critical Infrastructure Protection program. They published program policy, developed program standards, took steps to establish a Defense Field Agency, and improved controls for program funding. Much remains to be done as the program matures and continues to change in response to current events. The remaining paragraphs of this section document executed and planned actions and events organized to match our observations and recommendations.

Issue 1. Definitions

The Joint Staff J3, Deputy Director for Antiterrorism and Homeland Defense proposed changing the definition of force protection to include all hazards, in line with our recommendation. The Director, Defense CIP appropriately amended the definition of “mission assurance” and included it, along with other definitions, in DoD Directive 3020.40. As of November 2005, the definitions contained in DoD Directive 3020.40 were not included in Joint Publication 1-02, “The DoD Dictionary of Military and Associated Terms,” (JP 1-02). Defense CIP officials agreed that the definitions should be included in JP 1-02 and that they would send the new definitions to the appropriate office in the Joint Staff.

Issue 2. Program Responsibilities

Prior to our review, program officials disagreed about primacy between the concepts of force protection and mission assurance.
Antiterrorism program officials endorsed mission assurance as subordinate to force protection, while Defense CIP officials supported the opposite. ASD(HD) officials stated that our recommendation of equal importance under readiness generated positive discussion and was partially adopted. As of November 2005, Defense CIP program officials stated that they considered preparedness as the concept overarching mission assurance and force protection. However, representatives from the Joint Staff considered mission assurance an end state to be achieved through force protection, continuity of operations, and critical infrastructure protection. The lack of agreement demonstrates a need for additional work to unify the theory behind the programs.

Responsibility for programs, including Defense CIP, Information Assurance, Antiterrorism, Physical Security, and others, remained spread across multiple offices in the Office of the Secretary of Defense. Another remaining concern was the lack of an individual with assigned responsibility for the overall mission assurance and force protection constructs. However, acceptance of mission assurance as a complementary concept to force protection was increasing. Mission assurance was defined in DoD Directive 3020.40, stated as 1 of 12 objectives of the Strategy for Homeland Defense and Civil Support, and included as an action item in the Acting Deputy Secretary of Defense memorandum, “Implementation of the Strategy for Homeland Defense and Civil Support,” dated June 24, 2005.

Based on the stated mission of the ASD(HD), we recommended a geographic division of program responsibilities.
The Director, Defense CIP believed that program responsibilities were better allocated by function than by geography due to the seamless nature of networks and the idea that capabilities should not be bounded by geography. According to ASD(HD) officials, the limitations on military responses to Hurricane Katrina coupled with the military’s response to the earthquake disaster in Karachi, Pakistan have raised questions about expanding the DoD’s civil support role. These missions imply changing responsibilities for the ASD(HD) and render our recommendation as stated inapplicable. As of November 2005, DoD Directive 5111.13, “Assistant Secretary of Defense for Homeland Defense,” was not published. However, senior officials continued to realign program responsibilities within the Office of the Under Secretary of Defense for Policy, attempting to reduce gaps and overlaps. The Under Secretary of Defense for Policy should clearly divide responsibilities between the ASD(HD) and the Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict in their charter directives.

Issue 3. Assessment Standards

All parties interviewed acknowledged the need for consistent standards. Defense CIP officials explained that they used the results of two initiatives to refine proposed standards. Representatives from the program office conducted a series of six pilot assessments in conjunction with Joint Staff Integrated Vulnerability Assessments (JSIVAs) performed by the Defense Threat Reduction Agency. They also worked with the Joint Staff to create a Defense CIP module used by assessors. Defense CIP program officials concluded from the second effort that the mission assurance and all-hazards focus of Defense CIP will likely preclude full integration into the force protection and antiterrorism JSIVA.
In addition, the JSIVA remained focused on active duty warfighting assets. These conclusions reinforce our recommendations.

Defense CIP program officials stated they anticipated signature of interim guidance by the ASD(HD) in December 2005, with publication of a DoD Instruction within 180 days. The interim guidance document combined basic threat, vulnerability, and criticality standards into one document, applicable to all assets critical to DoD missions. Representatives from both the Joint Staff and DCMA stressed the importance of finalized standards for continued program progress.

Our review identified a lack of program emphasis on DoD nonwarfighting, National Guard, and non-DoD assets deemed critical to DoD missions. The National Guard conducted JSIVAs of Guard-owned assets by using the Defense CIP module, and according to the Defense CIP Deputy Director for Operations, was prepared to incorporate new Defense CIP standards. The Defense Contract Management Agency, as the sector lead for the Defense Industrial Base, had several ongoing initiatives. It developed and used three Defense CIP related models: criticality determination, asset prioritization, and the risk of industrial failure. DCMA also drafted a Memorandum of Agreement to conduct Defense CIP assessments of non-DoD critical assets in the United States. As part of the non-DoD asset assessment effort, ASD(HD) worked with the National Guard to complete interstate compacts allowing trained teams to perform work outside of their home States. All responsible parties demonstrated significant progress, but non-DoD critical assets located outside the United States remained an issue.

Issue 4. Program Roles

The Principal Deputy Under Secretary of Defense for Policy approved the establishment of a field activity that will combine program management for Continuity of Operations, Continuity of Government, and Defense CIP. ASD(HD) planned to provide the field activity with authorization for 90 full-time equivalents: 60 for Continuity of Operations and Continuity of Government, and 30 for Defense CIP. It planned to staff the authorizations through transfer of 60 spaces from the Defense Logistics Agency and 30 spaces from the Defense Program Office for Mission Assurance. The field activity will count against the Washington Headquarters Services staffing allotment. The ASD(HD) Comptroller verified that he was programming for the field activity. This action is a good first step toward consolidating scattered mission assurance and force protection program efforts.

Issue 5. Program Funding

ASD(HD) actively pursued program implementation funding and established controls for its use. Defense CIP program funding for FYs 2004 through 2007 was allocated from the Office of the Comptroller to the ASD(HD) within the Program Operating Memorandum in a discrete program element. ASD(HD) planned to directly control and suballocate program budget authority for FYs 2006 and 2007. For FY 2006, the ASD(HD) Comptroller provided the Joint Staff, Defense sectors, and their own staff element with budget targets, and established a prioritized unfunded requirements list based on submissions. As of November 2005, they were prepared to write the program statement of work following congressional approval of the authorization bill.

ASD(HD) planned to decentralize Defense CIP execution to the Services while retaining advocacy of the Defense CIP program element.
    ASD(HD) stated that starting with the
    FY 2008 budget, it would require Service Program Element Managers to ensure funds are
    budgeted and executed to satisfy Defense CIP requirements outlined in DoD Directive
    3020.40. ASD(HD) planned to distribute approximately 60 percent of the Defense CIP
    funding to combatant commands and Services and maintain control of 30 to 40 percent
    for running the field activity and 10 percent for new initiatives. ASD(HD) understood its
    responsibility for ensuring the Services adequately fund the program element.

    Defense CIP stakeholders within DoD provided input and were kept informed of fiscal
    decisions through the governance council. The primary charter of the council was to
    determine program funding priorities. The council comprised 10 individuals, as shown in
    Table 2. The Joint Staff J34 representative stated that he acted as an advocate for the
    combatant commands and Services.

    Table 2. Defense CIP Governance Council

     1    Director, Defense CIP - USD(P)
     2    Principal Staff Assistant - USD(AT&L)
     3    Principal Staff Assistant - USD(I)
     4    Principal Staff Assistant - USD(C)/CFO
     5    Principal Staff Assistant - USD(P&R)
     6    JCS - J34
     7    Mil Dep Representative - Army
     8    Mil Dep Representative - Navy
     9    Mil Dep Representative - Air Force
    10    DCMA - DIB Defense Sector Rep

    Mitigating identified vulnerabilities remained an installation or Service issue.
    ASD(HD) representatives planned to oversee the prioritization and tracking of
    Defense CIP requirements through Joint Monthly Reviews and Joint Quarterly
    Reviews.
    ASD(HD) officials decided not to establish a Defense CIP fund for mitigation
    similar to the antiterrorism program’s Combating Terrorism Readiness Initiatives Fund.
    They concluded that consolidating mitigation funds outside the Services would result in
    the Services reallocating an equivalent amount away from mitigation during their budget
    process.

Appendix A – Methodology

Crystal Focus Process
    Crystal Focus is an independent and objective inspection or evaluation of a key DoD-wide
    program or process. The Crystal Focus process provides a transparent yet focused
    evaluation of DoD issues. Normally, senior leadership requests these evaluations. We
    seek requestor input to develop objectives and to tailor product formats to best convey
    our findings. Crystal Focus products highlight the most significant issues and provide
    timely recommendations for senior leadership action. We conduct the reviews in
    accordance with criteria in the “Quality Standards for Inspections” published by the
    President’s Council on Integrity and Efficiency in January 2005. The project team
    performs follow-up on all recommendations resulting from a Crystal Focus project,
    normally 12 and 18 months after the project is completed. Prior to publishing the report,
    the Crystal Focus team briefs the results, observations, and recommendations to senior
    officials of the DoD Office of the Inspector General (IG); DoD senior management; the
    requestor of the review, and appropriate program managers. We provide program
    managers with the opportunity for formal comment and include their verbatim comments
    in the final report.

Scope
    We reviewed the Defense CIP program.
    Specifically, we evaluated policy, organization,
    roles and responsibilities, and funding from two broad perspectives: (1) the effectiveness
    of program policy and structure, and (2) the value and impact of vulnerability
    assessments on installations.

    We reviewed program policy and organization of the program at ASD(HD), and the
    impacts of policy decisions with the Office of the Assistant Secretary of Defense for
    Special Operations and Low-Intensity Conflict. We evaluated program roles,
    responsibilities, and funding in the Office of the ASD(HD), the Defense Program Office
    for Mission Assurance, the Joint Staff, the Defense Threat Reduction Agency, and the
    Defense Contract Management Agency. We also reviewed the program impact, funding,
    and structure at U.S. Northern Command, U.S. European Command, and U.S. Pacific
    Command.

    We performed this evaluation from June 2004 through November 2005, in accordance
    with the standards established by the President’s Council on Integrity and Efficiency in
    the publication “Quality Standards for Inspections,” March 1993 and the subsequent
    January 2005 update.

Limitations
    We limited our review in three significant aspects. First, the ASD(HD) defined Defense
    Critical Infrastructure as “DoD and non-DoD cyber and physical assets and associated
    infrastructure essential to project and support military forces worldwide.” We did not
    evaluate cyber security policies for electronic network attack; we limited our review to
    the physical aspects of network protection. Second, we did not contact nongovernmental
    organizations and contractors that own Defense Industrial Base assets identified as
    critical, due to time and resource constraints.
    Finally, we limited our evaluation to the
    Office of the Secretary of Defense, the Joint Staff, Unified Commands, and Defense
    Agencies because of limited program maturity and undefined impact on installations at
    the time of the review.

Work Performed
    We conducted the evaluation as an early implementation review, with the goal of
    identifying vulnerabilities and successes and providing recommendations for
    improvement to a developing program. We focused on policy development, program
    organization, and implementation at higher headquarters. From June 2004 through
    February 2005, the team performed the following steps.

       • We reviewed public law and Executive and Defense Department policy,
         regulations, and directives governing the Defense CIP program.
       • We reviewed relevant reviews, audits, evaluations, inspections, and studies from
         the past 5 years associated with the program. Sources used included the Government
         Accountability Office, the Defense Science Board, and the DoD Inspector General.
       • We conducted interviews with senior OSD and program officials and visited the
         following organizations:
           Assistant Secretary of Defense for Homeland Defense
                Defense Program Office for Mission Assurance
                Critical Infrastructure Program Integration Staff
           Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict
           The Joint Staff
                Combating Terrorism Directorate (J34)
                Strategy and Policy Directorate (J5)
           U.S. Northern Command
           U.S. Pacific Command
           U.S. European Command
           Defense Threat Reduction Agency
           Defense Contract Management Agency
       • We analyzed current and draft DoD policy and guidance.
       • We discussed our results with program management prior to briefing our
         conclusions to the ASD(HD) in February 2005. We subsequently provided a series of
         “Observations” documenting the details and logic supporting our conclusions.

    In October and November 2005, we conducted a follow-on review to document program
    improvement and determine outcomes based on our recommendations. The results of
    this review are shown on pages 24 through 27.

Appendix B – Briefing to the Assistant Secretary of Defense for Homeland Defense

Evaluation of Defense Installation Vulnerability Assessments
Project D2004-DIP0E2-0157

Office of the Inspector General, Department of Defense
Inspections and Policy
Inspections & Evaluations Directorate

Brief to
Hon. Paul McHale
Assistant Secretary of Defense for Homeland Defense
February 17, 2005

George Marquardt
www.dodig.osd.mil

CIP Related Policy Response to GWOT

  GLOBAL WAR ON TERRORISM (GWOT)
  Early events such as the Khobar Towers and USS Cole
  bombings generated minor changes to organization and
  doctrine.
  The attacks of Sep 2001 shifted the focus to the
  Homeland and caused significant changes.

  NATIONAL
  Oct 2001 – EO13231 “Critical Infrastructure in the
  Information Age”
  Oct 2001 - PL 107-56 US Patriot Act (includes the Critical
  Infrastructure Protection Act, 42 USC 5195c)
  Nov 2002 - PL 107-296 Homeland Security Act
  (established the Department of Homeland Security)
  Feb 2003 - “National Strategy for the Physical Protection
  of Critical Infrastructure and Key Assets”
  Dec 2003 – HSPD-7 “Critical Infrastructure Identification,
  Prioritization, and Protection” (one of a series of 12 policy
  directives published between Oct 2001 – Aug 2004)

  DEPARTMENT OF DEFENSE
  Oct 2002 – Change to Unified Command Plan (established
  NORTHCOM)
  Feb 2003 – Office of the Assistant Secretary of Defense
  for Homeland Defense established

Doctrinal Construct

  NATIONAL
  The goal of the program is NATIONAL PREPAREDNESS,
  where “all-hazards preparedness” is defined as the
  existence of plans, procedures, policies, training, and
  equipment necessary at the Federal, State, and local level
  to maximize the ability to prevent, respond to, and recover
  from domestic terrorist attacks, major disasters, and other
  emergencies.
  (Homeland Security Presidential Directive 8, “National Preparedness,” December 17,
  2003).

  DEPARTMENT OF DEFENSE
  The defense equivalent is READINESS, defined as the
  ability of US military forces to fight and meet the demands
  of the national military strategy.
  It is the synthesis of two
  distinct but interrelated levels:
  UNIT READINESS is the ability to provide Combatant
  Commanders with units capable of delivering designed
  outputs to execute assigned missions.
  JOINT READINESS is the Combatant Commanders’
  ability to integrate and synchronize forces to execute
  assigned missions.
  (Definition from Joint Publication 1-02, “The DoD Dictionary of Military and Associated
  Terms,” as of February 2005)

DoD Doctrinal Construct

  UNIT READINESS is a commander’s responsibility and a
  Service-centric mission. One of the activities that allow
  Services to ensure readiness is (Force) PROTECTION.

  (Force) PROTECTION is action taken to prevent or
  mitigate hostile actions against DoD personnel,
  resources, facilities, and critical information. This does
  not include actions to defeat an enemy or protect against
  accidents, weather, or disease (JP 1-02).

  As defined, PROTECTION is primarily a defensive
  activity, applicable only to DoD assets, and limited to
  human threats.

  JOINT READINESS is primarily a joint mission.
  One of
  the activities that allow Combatant Commanders to
  ensure readiness is (Mission) ASSURANCE.

  (Mission) ASSURANCE is a process to ensure that
  assigned tasks or duties can be performed in accordance
  with the intended purpose or plan (DoDD 3020.ff draft).

  As defined, ASSURANCE is an external activity,
  applicable to any resource potentially impacting planned
  missions, and encompassing all hazards.

DoD Organization

  Program responsibilities associated with PROTECTION
  and ASSURANCE are spread across multiple Under,
  Deputy, and Assistant Secretaries.

  AT                  ASD(SO/LIC)    DoDD 2000.12
  CBRNE               USD(AT&L)      DoDI 6055.x [1]
  COOP/COG            USD(P)         DoDD 3020.26
  CIP                 ASD(HD)        DoDD 5160.54 [2]
  IA                  ASD(NII)       DoDD 8500.1
  Installation Prep   ASD(SO/LIC)    DoDI 2000.18 [3]
  Physical Security   USD(I)         DoDD 5200.8

  [1] ATSD(NCB) has primary responsibility for CBN (DoDD 5134.8).
  Various
  Instructions in the 6055 series for Radiological and High Explosives.
  [2] Draft DoDD 3020.ff developed by ASD(HD).
  [3] DoDI 2000.18 established guidelines for CBRNE emergency response.
  However, this may be outside ASD(SO/LIC) charter responsibilities (DoDD
  5111.10).

  OBSERVATION: Because doctrine and organization
  changes necessitated by the GWOT are incomplete, DoD
  PROTECTION and ASSURANCE concepts are disjointed
  and associated programs are poorly coordinated,
  resulting in inefficient implementation and less than
  optimal funding.

Impact on CIP

  The evolution of doctrine and the failure to update
  definitions and organizational responsibilities result in five
  points of programmatic stress for the Defense Critical
  Infrastructure Program:
    Asset Location - CONUS / OCONUS
    Asset Ownership - DoD / Non-DoD
    Program Nexus – COCOMS / Service / Defense Sectors
    Program Participation – Title 5 / Title 10 / Title 32
    Threats Addressed - Terrorism / All-Hazard

  [Figure: DOD RESPONSIBILITIES BY LOCATION]

Desired Endstate

  PROGRAM GOALS (DoDD 3020.ff - draft) :
  Defense Critical Infrastructure is available as required.
  The identification, prioritization, assessment, and
  assurance of Defense Critical Infrastructure is managed
  as a comprehensive program.
  Vulnerabilities found in Defense Critical Infrastructure are
  remediated or mitigated based on risk.
  DCIP will complement other DoD programs and efforts

  MANAGEMENT ACTIONS: To effectively accomplish CIP
  program goals, management must ensure that:
  1. Concepts are tightly defined and integrate with broader
  governing doctrine.
  2. Program responsibilities are established in policy, and
  existing policy and authority is modified as necessary.
  3. Priority for program efforts build on existing programs
  (fill in gaps) and minimize duplication of effort (overlaps).
  4. Responsibilities are assigned within the program to
  reflect program focus and achieve program goals.
  5. Stakeholders support or at a minimum acquiesce to the
  program philosophy and goals.
  6. A mechanism is developed to ensure identified
  vulnerabilities receive sufficient consideration for funding.

Actions Taken

  1. Concepts
     a. ensured program inclusion in ASD(HD) strategy and
  drafted program integrated risk management strategy.
     b. conducted serious efforts toward establishing
  common program definitions and strategic concepts.

  2. Policy:
     a. worked toward publication of DoDD 5111.13.
     b. DoDD 3020.ff in final coordination at USD(P).
     c. pursued reorganization of USD(P) responsibilities.

  3. Focus - recognized opportunity for and pursued
  systemic solutions, conducted a gap analysis, and
  remained sensitive to assessment impacts on commands.

  4. Responsibilities:
     a. increased effectiveness of DoD CIP organization.
     b. developed methodology for Mission Area Analysis.
     c. recognized issues with DPO-MA responsibilities.

  5. Stakeholders - included DoD players through routine
  coordination and expanded CIPIS, and recognized and
  assigned DIB responsibilities

  6. Funding – pursued current year program funding,
  attempted to ensure stable funding over the POM.

Recommendations

  1. Change definitions:
     a. delete “Force” from “Force Protection” and include
  “all-hazards” in JP 1-02.
     b. add “Assurance” to JP 1-02.
     c. change assessment eligible installations in DoDI
  2000.16 to include DoD assets deemed “critical” by
  Combatant Commanders IAW CIP policy and standards.
     d. delete “overarching DoD framework” from “Mission
  Assurance” in DoDD 3020.ff and include elements from
  DoDD 5160.54 (Critical Asset Assurance Program, 1998).
  2. Assign and modify program responsibilities:
      a. organize all PROTECTION and ASSURANCE
  activities under a “readiness” (preparedness) umbrella.
      b. increase efforts concerning non-DoD assets and
  adjust the Defense CIP program focus accordingly
  (requires a change to DoDD 3020.ff, para. 3.1 and 4.1).
      c. divide primacy for policy for PROTECTION and
  ASSURANCE programs geographically –
         1. CONUS and the approaches (suggest ASD(HD) –
  aligns with “charter” responsibilities).
         2. OCONUS (suggest ASD(SO/LIC) - requires
  modification of DoDD 5111.10).
      d. publish ASD(HD) charter (DoDD 5111.13).
  3. Develop DCIP as a complementary program that fills
  gaps and minimizes duplication:
      a. complete CIP assessment standards for non-DoD
  assets and unique CIP standards for DoD assets.
      b. develop CIP assessments that review non-DoD
  assets and integrate with DTRA-JSIVA for DoD assets.
      c. coordinate and fund “expert type” assessments for
  vital strategic DoD and non-DoD national assets.
  4. Establish and modify responsibilities in the program:
      a. develop desired outcomes and quantifiable metrics
      b. develop and adopt standardized processes for
  determining criticality.
      c. define the program roles that demonstrate DCIP is a
  Defense-wide program (broader than warfighting assets) –
         1. Protection and Assurance Field Activity –
             i. manage development and validation of
  training, assessment, and accreditation standards
             ii. maintain common assessment databases,
  identify, prioritize, and track nonwarfighting assets
         2. DTRA – conduct vulnerability assessments
         3. Joint Staff - coordinate prioritization and funding
  between Combatant Commands and Services
         4. Combatant Commands - determine criticality and
  track and prioritize identified mission-related vulnerabilities
     d. establish policy that allows for adequate sharing and
  standard analysis and integration of threat information.
  5. Continue to address all stakeholder concerns.
  6. Establish CIP as a program in PPBE where ASD(HD):
     a. develops organization and controls funding for
  dedicated program staff and support to stakeholders.
     b. obtains funding for assessments.
     c. advocates for mitigation funding from a centralized,
  prioritized database of risk-based vulnerabilities.

  OVERARCHING RECOMMENDATION:
     Separate CIP program and FSIVA development.
  Make
  FSIVA part of a larger coordination effort involving multiple
  OSD offices attempting to:
     1. Incorporate and integrate all PROTECTION and
  ASSURANCE assessment standards including DCIP,
  JSIVA, IA, Physical Security, CBRNE, etc. into
  comprehensive modular FSIVA standards.
     2. Conduct coordinated assessments through master
  scheduling including a common operating picture, modular
  FSIVA standards, and data sharing with all concerned
  parties to minimize the impact of multiple assessments on
  commands, installations, and critical non-DoD assets.

Acronym List

  AT        Anti-Terrorism (Program)
  CBRNE     Chemical, Biological, Radiological, Nuclear, and
            High Explosive (Weapons)
  CIP       Critical Infrastructure Protection
  CIPIS     Critical Infrastructure Protection Integration Staff
  COOP      Continuity of Operations
  COG       Continuity of Government
  DTRA      Defense Threat Reduction Agency
  DCIP      Defense Critical Infrastructure Program
  DPO-MA    Defense Program Office – Mission Assurance
  EO        Executive Order
  FSIVA     Full Spectrum Integrated Vulnerability
            Assessment
  GWOT      Global War on Terrorism
  HSPD      Homeland Security Presidential Directive
  IA        Information Assurance
  JSIVA     Joint Staff Integrated Vulnerability Assessment
  PL        Public Law
  Title 5   U.S. Code, Title 5, “Government Organization and
            Employees”
  Title 10  U.S. Code, Title 10, “Armed Forces”
  Title 32  U.S. Code, Title 32, “National Guard”

Appendix C – Management Comments

CIP Directorate, OASD(HD)
Response to DoD IG Issues Related to
Evaluation of the Defense Critical Infrastructure Program (DCIP)

Issue 1: Definition Changes
Discussion:
   •   DoD(IG) states that the two terms used by DoD to define the primary activities associated
       with Critical Infrastructure Protection, “force protection” and “mission assurance,” do not
       encompass all critical assets and potential threats.
   •   IG states that anti-terrorism policy should require assessments at activities that are
       deemed critical under CIP standards, regardless of the number of personnel impacted in
       order to help integrate activities and mitigate risk.
Recommendations:
   1. Request the Director for Operational Plans and Joint Force Development, Joint Staff,
      amend the term “Force Protection” in JP 1-02 by deleting the word “Force” and including
      an “all hazards” component to ensure consistency with the intent of
      HSPD-8 [Homeland Security Presidential Directive #8].
       Disagree. Force protection is principally concerned with the physical protection of DoD
       personnel, equipment and facilities. While the definition states that force protection
       includes the protection of information, most in the information management community
       agree that information assurance is outside the AOR [Area of Responsibility] of the force
       protection community.
       Mission assurance is defined broadly enough to address all-hazards
       even though its focus is on assuring critical capabilities.
   2. Amend the term “Mission Assurance” in draft DoDD 3020.ff by deleting the word
      “mission,” and refine the definition to include specific policy considerations addressed in
      DoDD 5160.54.
       Disagree. DEPSECDEF’s [Deputy Secretary of Defense] approval of DoDD 3020.40
       establishes a definition for the term “mission assurance.” DoDD 5160.54 is cancelled.
   3. Request the Director for Operational Plans and Joint Force Development, Joint Staff
      include the revised “assurance” definition in JP 1-02.
       Agree.
   4. ASD (SO/LIC) [Assistant Secretary of Defense for Special Operations and Low-Intensity
      Conflict] should amend DoDI 2000.16, Para E3.1.1.26.7, “Antiterrorism Site Criteria,” to
      allow Combatant Commanders to conduct vulnerability assessments of those DoD assets
      deemed critical under CIP standards.
       Agree.
       [Inspector General Note: We removed this recommendation from the final report.]

Issue 2: Program Responsibilities
Discussion:
    •    IG used HSPD-8, National Preparedness to develop recommendations and used the term
         “readiness”.
         HSPD-8 uses “preparedness” in lieu of “readiness”, defining it as “the
         existence of plans, procedures, policies, training, and equipment necessary at the Federal,
         State, and local level to maximize the ability to prevent, respond to, and recover from
         major events.”
    •    The IG uses the DoD JP 1-02 definition of “readiness”, which is limited to military
         forces, and unit and joint readiness. This definition is different from the one used in the
         National Response Plan.
    •    IG asserts that CIP protection and assurance contribute to “readiness”, but DCIP
         protection and assurance are not limited to military forces’ ability to execute the National
         Military Strategy.
    •    IG cites the JP 1-02 definition for “protection” as derived from a narrower concept of
         force protection.
    •    The JP 1-02 definitions are insufficient and tailored to the originators’ desired contexts.
Recommendations:
    1. Organize Protection and Assurance programs and initiatives under a common
       overarching concept of all-hazards preparedness.
         Partially Agree. Agree that an overarching concept is needed to clarify responsibilities
         for protection and assurance policy and programs. However, “readiness,” in the context
         of JP 1-02 [1], is insufficient for DCIP and mission assurance because the definition is too
         narrowly circumscribed. In HSPD-7, “preparedness” includes military forces, public and
         private infrastructure as well as plans, procedures, policies, training, and equipment
         needed to prevent, respond to, and recover from major events.
In this context,\n         preparedness addresses interdependency or resiliency issues.\n    2. Complete DoDD 5111.13, amend DoDD 5111.10 to reflect geographic division of\n       responsibility for protection and assurance policy and programs between HD [Homeland\n       Defense] and SOLIC [Special Operations and Low Intensity Conflict].\n         Disagree. HSPD-7, HSPD-8, and the DCIP require policy that acknowledges the\n         importance of interdependencies between and among critical infrastructure assets. The\n         President\xe2\x80\x99s directives imply that geographic and jurisdictional boundaries are irrelevant\n         to critical infrastructures, like transportation, information or energy, which exist across\n         such boundaries. The IG use of the term \xe2\x80\x9creadiness\xe2\x80\x9d with its narrow focus on military\n\n\n1\n  Joint Publication 1-02, \xe2\x80\x9cDOD Dictionary of Military and Associated Terms.\xe2\x80\x9d The ability of US military forces to\nfight and meet the demands of the national military strategy. Readiness is the synthesis of two distinct but\ninterrelated levels. a. unit readiness--The ability to provide capabilities required by the combatant commanders to\nexecute their assigned missions. This is derived from the ability of each unit to deliver the outputs for which it was\ndesigned. b. joint readiness--The combatant commander's ability to integrate and synchronize ready combat and\nsupport forces to execute his or her assigned missions. See also military capability; national military strategy.\n\n\n                                                          45\n\x0c           forces and Joint/Unit readiness 2 is unsuitable for critical infrastructure policy and program\n           responsibilities. 
Dividing OSD responsibilities within OSD by geography would\n           decrease the effectiveness of critical infrastructure efforts.\n\nIssue 3: Assessment Standards\nDiscussion:\n       \xe2\x80\xa2   IG report states that \xe2\x80\x9cas of February 2005, the Defense Critical Infrastructure Program\xe2\x80\x9d\n           did not provide sufficient \xe2\x80\x9cdeployed capabilities\xe2\x80\x9d. In addition, prioritization of efforts and\n           application of program resources was not optimized to address non-war fighting critical\n           assets.\n       \xe2\x80\xa2   IG report states that the Full Spectrum Integrated Vulnerability Assessment (FSIVA)\n           standards document has a number of deficiencies.\n       \xe2\x80\xa2   IG report states, \xe2\x80\x9cHomeland Security Presidential Directive No. 7 explicitly assigns\n           responsibility to the DoD for protection of the Defense Industrial Base (DIB).\xe2\x80\x9d However,\n           HSPD-7 does not state that DoD is responsible for the protection of the DIB. HSPD-7\n           correctly assigns DoD responsibility for the DIB as the Sector Specific Agency to\n           coordinate infrastructure protection activities for the DIB.\nRecommendations:\n       1. Complete CIP assessment standards for non-DoD assets and unique CIP standards for\n          DoD assets.\n           Agree.\n       2. Develop CIP assessments that review non-DoD assets and integrate with Defense Threat\n          Reduction Agency-Joint Staff Integrated Vulnerability Assessment (DTRA-JSIVA) for\n          DoD assets.\n           Partially Agree. DTRA-JSIVA assessments support force protection. The standards for\n           JSIVAs are mature, but are limited to the physical security of people, facilities and\n           equipment within the DoD installation perimeter. DCIP requires assessments to address\n           physical, cyber, personnel and procedural considerations. 
         DCIP requires non-DoD-owned critical asset assessments to determine the facility or
         institution economic viability, and to identify supply chain relationships.
    3. Coordinate and fund “expert type” assessments for vital strategic DoD and non-DoD
       national assets.
         Agree.
    4. Increase Critical Infrastructure Protection program activities to assure the availability of
       DoD non-war fighting, National Guard, and non-DoD assets critical to DoD missions.
         Agree.

[2] Ibid.

Issue 4: Program Roles
Discussion:
    •   The Report states that the “Defense Critical Infrastructure Protection (DCIP) program
        organization was inadequate to achieve desired homeland defense strategic objectives.”
    •   The Report states that ASD(HD) responsibilities are limited to U.S. Territories and the
        approaches. DoDD 3020.40 now assigns the global DCIP mission to the ASD(HD). As
        such, the report conflicts with the global infrastructure protection responsibility of the
        Director, CIP. Furthermore, critical infrastructure addresses physical and cyber nodes
        and links in a supply chain of products and services that transcend geographic and
        jurisdictional boundaries.
Recommendations:
    1. The Under Secretary of Defense for Policy should establish a field activity responsible
       for implementing and monitoring Department protection and assurance programs.
         Partially agree. ASD(HD) is considering a broader set of requirements for a Field
         Activity to support the overall HD mission, to include those for implementing and
         monitoring protection and assurance programs.
         Primary responsibilities for the Field Activity would include:
           a. The development, validation, and accreditation of assessment standards and training
              standards for assessors;
           Agree
           b. The standardization, consolidation, and storage of facility infrastructure and
              vulnerability assessment data;
           Agree
           c. The analysis of data and identification of protection and assurance issues with
              impact across non-war fighting assets or DoD wide applicability; and
           Agree
           d. The obtaining, integration, and sharing of relevant threat data with assessing
              organizations.
           Agree
    2. The Assistant Secretary of Defense for Homeland Defense should publish policy that
       assigns responsibility for the:
           a. Conducting of Defense Critical Infrastructure program vulnerability assessments
           Agree
           b. Standardization of definitions and criteria used to determine asset criticality; and
           Agree
           c. Development of quantifiable program metrics.
           Agree

(Issue 5 was not addressed by the DoD IG.)

Issue 6: Funding DCIP in PPBE
Discussion:
    •   The Report states that “DCIP planning and programming was inadequate to reduce
        critical vulnerabilities.” The DCIP concept is that asset owners/operators are responsible
        for resourcing and making changes, to the assets for which they are responsible, to
        include vulnerability mitigation and remediation. The DCIP provides asset owners with
        justification for funding requirements submitted to the PPBE system.
        Asset owners/operators determine which actions are most appropriate to address
        vulnerabilities.
    •   The Report states that a significant concern is how DCIP programs, at the command
        level, lack established policy addressing program and mitigation funding. DoDD 3020.40
        provides overall program direction and guidance. Asset owners/operators are responsible
        for mitigation and remediation funding.
    •   The Report states that programmatic inclusion in the PPBE system was necessary to
        develop the program. In addition, DoD components must submit funding requests to the
        PPBE system.
    •   The Report states that lack of stable funding was detrimental to long term assessment
        planning. Additionally, installation commanders were frustrated by the insufficient
        resources used to mitigate vulnerabilities. Consistent with DoDD 3020.40, DoD
        components must resource their DCIP activities including component vulnerability
        assessments for identified critical assets.
    •   The Report states that decentralized funding and a lack of centralized priorities or
        oversight discourage mitigation efforts. The Director, CIP is implementing a process to
        prioritize assessments of DoD strategic critical assets. DoD components may fund and
        prioritize DCIP activities within their respective areas of responsibility, consistent with
        the Secretary’s direction and guidance.
Recommendations:
    1. Establish the Critical Infrastructure Protection program in the PPBE system and control
       and coordinate program implementation funding.
         Agree.
    2. Advocate for mitigation funding and a consolidated, prioritized database of risk-based
       vulnerabilities identified through a coordinated assessment process.
         Agree.

Appendix D – Acronym List
ASD(HD)   Assistant Secretary of Defense for Homeland Defense
AT        Antiterrorism (Program)
CIP       Critical Infrastructure Protection
CONUS     Continental United States (48 Contiguous States)
DTRA      Defense Threat Reduction Agency
DCIP      Defense Critical Infrastructure Program
DPO-MA    Defense Program Office for Mission Assurance
IG        Inspector General
JP        Joint Publication
JSIVA     Joint Staff Integrated Vulnerability Assessment
OCONUS    Outside the Continental United States
OSD       Office of the Secretary of Defense
PPBE      Planning, Programming, Budgeting, Execution
PDD       Presidential Decision Directive
Y2K       Year 2000

Appendix E – Report Distribution
Office of the Secretary of Defense
Under Secretary of Defense for Policy
  Assistant Secretary of Defense for Homeland Defense
  Assistant Secretary of Defense for Special Operations and Low-Intensity Conflict

Department of the Army
Inspector General, Department of the Army

Department of the Navy
Naval Inspector General

Department of the Air Force
Inspector General, Department of the Air Force

Joint Staff and Unified Commands
Director of the Joint Staff

Other Defense Organizations
Defense Contract Management Agency
Defense Threat Reduction Agency

Congressional Committees and Subcommittees, Chairman and
Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Finance, and Accountability, Committee on
  Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations,
  Committee on Government Reform

THE MISSION OF THE OIG DoD

The Office of Inspector General of the Department of Defense was established by
Congress as one of the “independent and objective units [within listed ‘establishments,’
including the Department of Defense] to conduct and supervise audits and investigations
relating to the programs and operations of those establishments.” As the principal
advisor to the Secretary of Defense in all Inspector General matters, the Inspector
General serves as an extension of “the eyes, ears, and conscience” of the Secretary.
In support of the mission of the Department of Defense, the Office of the Inspector General
endeavors to:

    •   “Provide leadership…to promote economy, efficiency and effectiveness;”
    •   Prevent and detect “fraud, waste, and abuse;”
    •   “Provide policy direction for audits and investigations;”
    •   “Provide a means for keeping the [Secretary of Defense] and the Congress
        fully and currently informed about problems and deficiencies;” and
    •   “Give particular regard to the activities of the internal audit, inspection, and
        investigative units of the military departments with a view toward avoiding
        duplication and insuring effective coordination and cooperation.”

TEAM MEMBERS

The Homeland Defense Division, Inspections and Evaluations Directorate, Office of the
Deputy Inspector General for Inspections and Policy, Office of Inspector General for the
Department of Defense prepared this report. Personnel who contributed to the report
were Col Forrest R. Sprester, Division Chief; Mr. George P. Marquardt, Team Leader;
Mr. Joe A. Baker; Lt Col Michael T. Luft; Lt Col John N. Camperlengo; Lt Col Heidie R.
Rothschild; and Maj Chad W. Lusher.

ADDITIONAL REPORT COPIES

Contact us by phone, fax, or e-mail:
 Inspections and Evaluations Directorate, Deputy Inspector General for Inspections and Policy
 COM: 703.604.8772 (DSN 664.8772)
 FAX: 703.604.9769
 E-MAIL: crystalfocus@dodig.mil